Sunday

23rd Apr 2017

Restaurants and hotels worried by EU data bill

  • Small business such as hotels oppose the European Parliament's draft data bill (Photo: Biblioteca de Arte / Art Library Fundação Calouste Gulbenkian)

Small businesses such as bed and breakfasts or cafes will have to hire a data protection officer (DPO) under new rules currently being fine-tuned by the European Parliament.

The parliament says any business that has 500 or more clients a year will require a data protection office to make sure data is secured and laws are being followed.

Dear EUobserver reader

Subscribe now for unrestricted access to EUobserver.

Sign up for 30 days' free trial, no obligation. Full subscription only 15 € / month or 150 € / year.

  1. Unlimited access on desktop and mobile
  2. All premium articles, analysis, commentary and investigations
  3. EUobserver archives

EUobserver is the only independent news media covering EU affairs in Brussels and all 28 member states.

♡ We value your support.

If you already have an account click here to login.

But small and medium-sized businesses (SMEs) say this is an unwelcome additional expense in an economy where many are struggling.

The European Commission in its impact assessment report estimates that an SME would have to pay around €1,000 extra each year to have someone ensure protocol is met.

The commission had proposed exempting businesses with fewer than 250 employees from having to hire a DPO, but parliament scrapped the exemption and introduced the 500 clients threshold.

“The commission made an exception for SMEs and they had a reason for that,” said Marta Machado, a policy advisor at the Brussels-based Hortrec, an umbrella organisation for hotels, restaurants, and cafes in Europe.

An average SME in Europe has less than 16 employees. Many others have only one person.

German Green Jan Philipp Albrecht, the lead negotiator on the file at the European Parliament, amended the commission’s draft to include any business with at least 500 or more clients or "data subjects."

A data subject is anyone who has their data processed. Reservation dates, names, addresses and credit card details are among the data a hotel uses to process information on its clients.

Keeping those details in check and making sure they are properly secured is among the tasks of a DPO.

But Dora Szentpaly-Kleis, a legal advisor at the Brussels-based European Association of craft, small and medium-sized enterprises (Ueampe), told this website: “Our problem is not that he [Albrecht] changed the approach because it might make sense to link the number to the data subject but we have the impression that the 500 is a very low number.”

“How did they assess this number because there was no interaction on this issue between the rapporteur and us,” says Szentpaly-Kleis.

A parliamentary source familiar with the file said the number "was open to negotiation."

Germany only member state with data protection officers

Germany is the only member state that currently requires a DPO.

For almost 30 years, any company with at least five employees had to hire an outside consultant to review how personal data was handled. The employee threshold was raised to 10 in 2006 after a legislative reform on data protection.

Werner Hulsmann, a Bonn-based data protection officer who has been working as a freelance DPO since 2004, agrees there are some costs to small businesses but risk of a data breach or violation decreases.

The German experience is varied according to company type, size and whether or not it has locations in other countries.

A 2012 survey by the Bonn-based consultancy firm 2B Advice GmbH found that businesses with up to 50 employees spend just over €1,000 per year on a DPO. Cost increases to over €660,000 for companies with more than 50,000 employees.

The survey assessed 375 German companies, including 90 multinationals.

It noted that a large percentage of data violations come from simple negligence like leaving documents in a printer. Unsecured and unencrypted IT was another weakness. The unlawful processing of personal data was less frequently cited as a violation.

The survey also found that over 38 percent of all in-company data privacy officers do not feel sufficiently well informed well informed about data privacy violations within the company.

“It doesn’t matter how many people or employees work on personal data, they have to accept and follow the rules of data protection,” says Hulsmann.

Focus

The Acta debate - will innovation be stifled?

Opponents of Acta, the controversial anti-counterfeiting treaty up for vote in the European Parliament in July, say, among other things, that it would stifle innovation. Advocates say the exact opposite.

Eurogroup makes 'progress' on Greek deal

Eurozone ministers endorsed an agreement in principle between the Greek government and its creditors over a new package of reforms. But talks on fiscal targets and debt could still block a final agreement.

New anti-trust complaint looms over Microsoft

At least three security software companies “met several times” with the European Commission to complain about Microsoft’s alleged abuse of its market position. A formal case could follow.

Commission stops German-British stock merger

The decision to block the merger of the London Stock Exchange and Deutsche Boerse was expected, as negotiations between the parties broke down a few weeks ago.

SMEs lack support in EU financial plan

The European Commission's plan for a capital markets union is said to be aimed at small and medium-sized enterprises, but many could end up being left out in the cold.

New anti-trust complaint looms over Microsoft

At least three security software companies “met several times” with the European Commission to complain about Microsoft’s alleged abuse of its market position. A formal case could follow.

Investigation

MEPs oppose EU agency to prevent Dieselgate II

The European Parliament said on Tuesday that there should be more EU oversight on how cars are approved, but stopped short of calling for an independent EU agency.

Stakeholders' Highlights

  1. Nordic Council of MinistersDeveloping Independent Russian-Language Media in the Baltic Countries
  2. Swedish EnterprisesReform of the European Electricity Market: Lessons from the Nordics, Brussels 2 May
  3. Malta EU 2017Green Light Given for New EU Regulation to Bolster External Border Checks
  4. Counter BalanceCall for EU Commission to Withdraw Support of Trans-Adriatic Pipeline
  5. ACCAEconomic Confidence at Highest Since 2015
  6. European Federation of Allergy and Airways60%-90% of Your Life Is Spent Indoors. How Does Poor Indoor Air Quality Affect You?
  7. European Gaming and Betting AssociationCJEU Confirms Obligation for a Transparent Licensing Process
  8. Nordic Council of MinistersNordic Region and the US: A Time of Warlike Rhetoric and Militarisation?
  9. European Free AllianceEFA MEPs Vote in Favor of European Parliament's Brexit Mandate
  10. Mission of China to the EUXinhua Insight: China to Open up Like Never Before
  11. World VisionViolence Becomes New Normal for Syrian Children
  12. International Partnership for Human RightsTime to Turn the Tide and End Repression of Central Asia's Civil Society

Latest News

  1. Le Pen-Putin friendship goes back a long way
  2. Mogherini should tell Russians their rights matter
  3. Le Pens Freunde aus dem Trump Tower
  4. Sexe et mensonges: l'information russe sur l'UE
  5. Report: Post-Brexit payments, ECJ jurisdiction could last years
  6. Oxford study raises alarm on 'junk' news in France
  7. Thousands to march in defence of science
  8. Illicit Russian money poses threat to EU democracy